From 7b687da7268e26b67a730e4a33edc5ee9d82410c Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 7 Nov 2013 14:40:25 +0100 Subject: [PATCH] profiling: add tracking of missing keywords --- src/detect-engine-alert.c | 13 +++++++++++++ src/detect-engine-apt-event.c | 10 ++++++++-- src/detect-engine-file.c | 6 ++++++ src/detect-engine-iponly.c | 2 ++ src/detect-engine-state.c | 1 + 5 files changed, 30 insertions(+), 2 deletions(-) diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c index 3d111fd7db..0f12f7d656 100644 --- a/src/detect-engine-alert.c +++ b/src/detect-engine-alert.c @@ -27,6 +27,8 @@ #include "flow.h" #include "flow-private.h" +#include "util-profiling.h" + /** tag signature we use for tag alerts */ static Signature g_tag_signature; /** tag packet alert structure for tag alerts */ @@ -77,6 +79,7 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det /* handle suppressions first */ if (s->sm_lists[DETECT_SM_LIST_SUPPRESS] != NULL) { + KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_SUPPRESS); sm = NULL; do { td = SigGetThresholdTypeIter(s, p, &sm, DETECT_SM_LIST_SUPPRESS); @@ -85,17 +88,21 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det /* PacketAlertThreshold returns 2 if the alert is suppressed but * we do need to apply rule actions to the packet. */ + KEYWORD_PROFILING_START; ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s); if (ret == 0 || ret == 2) { + KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 0); /* It doesn't match threshold, remove it */ SCReturnInt(ret); } + KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 1); } } while (sm != NULL); } /* if we're still here, consider thresholding */ if (s->sm_lists[DETECT_SM_LIST_THRESHOLD] != NULL) { + KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_THRESHOLD); sm = NULL; do { td = SigGetThresholdTypeIter(s, p, &sm, DETECT_SM_LIST_THRESHOLD); 
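Review bot: Both `KEYWORD_PROFILING_END` calls in the `@@ -85,17 +88,21 @@` hunk hard-code `DETECT_THRESHOLD` and record `ret == 2` as a non-match, although the comment just above says 2 means the alert is suppressed while rule actions still apply. Entries walked from `DETECT_SM_LIST_SUPPRESS` are therefore counted under the threshold keyword; `sm` is handed to `SigGetThresholdTypeIter` by address, so presumably `sm->type` no longer names the entry that was just evaluated and cannot be used here. A comment such as `/* profiled as DETECT_THRESHOLD; ret 0 and 2 both count as no-match */` would make that deliberate. The same pair is repeated in the `@@ -104,11 +111,14 @@` hunk, where `DETECT_THRESHOLD ,0` has a misplaced space and should read `DETECT_THRESHOLD, 0`. The enclosing do/while loops start and end outside these hunks.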
@@ -104,11 +111,14 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det /* PacketAlertThreshold returns 2 if the alert is suppressed but * we do need to apply rule actions to the packet. */ + KEYWORD_PROFILING_START; ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s); if (ret == 0 || ret == 2) { + KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD ,0); /* It doesn't match threshold, remove it */ SCReturnInt(ret); } + KEYWORD_PROFILING_END(det_ctx, DETECT_THRESHOLD, 1); } } while (sm != NULL); } @@ -238,10 +248,13 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx if (res > 0) { /* Now, if we have an alert, we have to check if we want * to tag this session or src/dst host */ + KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_TMATCH); sm = s->sm_lists[DETECT_SM_LIST_TMATCH]; while (sm) { /* tags are set only for alerts */ + KEYWORD_PROFILING_START; sigmatch_table[sm->type].Match(NULL, det_ctx, p, s, sm); + KEYWORD_PROFILING_END(det_ctx, sm->type, 1); sm = sm->next; } diff --git a/src/detect-engine-apt-event.c b/src/detect-engine-apt-event.c index c7f664d39a..746d3025ff 100644 --- a/src/detect-engine-apt-event.c +++ b/src/detect-engine-apt-event.c @@ -28,7 +28,7 @@ #include "detect-engine-state.h" #include "stream.h" #include "detect-engine-apt-event.h" - +#include "util-profiling.h" #include "util-unittest.h" int DetectEngineAptEventInspect(ThreadVars *tv, @@ -52,8 +52,13 @@ int DetectEngineAptEventInspect(ThreadVars *tv, for (sm = s->sm_lists[DETECT_SM_LIST_APP_EVENT]; sm != NULL; sm = sm->next) { aled = (DetectAppLayerEventData *)sm->ctx; - if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) + KEYWORD_PROFILING_START; + if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) { + KEYWORD_PROFILING_END(det_ctx, sm->type, 1); continue; + } + + KEYWORD_PROFILING_END(det_ctx, sm->type, 0); goto end; } @@ -73,3 +78,4 @@ int DetectEngineAptEventInspect(ThreadVars *tv, } } } + 
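Review bot: In the `@@ -238,10 +248,13 @@` hunk the tag loop passes a constant `1` as the match flag, so every call is counted as a match while the return value of `Match()` is discarded. The file-inspection change in this same commit records `(match > 0)`; doing the same here, e.g. `int m = sigmatch_table[sm->type].Match(NULL, det_ctx, p, s, sm);` followed by `KEYWORD_PROFILING_END(det_ctx, sm->type, (m > 0));`, keeps the per-keyword match ratio meaningful. If the constant is intentional because tag keywords are only run once an alert has fired, a one-line comment saying so would help. PacketAlertFinalize continues outside the hunk.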
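Review bot: No `KEYWORD_PROFILING_SET_LIST` is visible in the `@@ -52,8 +52,13 @@` hunk of detect-engine-apt-event.c, unlike the other loops this commit instruments. Unless the caller sets the list before invoking `DetectEngineAptEventInspect` (its body starts outside the hunk, so this cannot be confirmed here), the ticks recorded for `sm->type` would be attributed to whichever list was set last. Consider `KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_APP_EVENT);` before the `for` loop, or a comment naming where the list is set.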
diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c index 66a1cb13b8..64286d2105 100644 --- a/src/detect-engine-file.c +++ b/src/detect-engine-file.c @@ -80,6 +80,7 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, int match = 0; int store_r = 0; + KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_FILEMATCH); SCLogDebug("file inspection... %p", ffc); if (ffc != NULL) { @@ -137,8 +138,10 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, SCLogDebug("sm %p, sm->next %p", sm, sm->next); if (sigmatch_table[sm->type].FileMatch != NULL) { + KEYWORD_PROFILING_START; match = sigmatch_table[sm->type]. FileMatch(tv, det_ctx, f, flags, file, s, sm); + KEYWORD_PROFILING_END(det_ctx, sm->type, (match > 0)); if (match == 0) { r = 2; break; @@ -172,8 +175,11 @@ static int DetectFileInspect(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, { DetectFilestoreData *fd = sm->ctx; if (fd->scope > FILESTORE_SCOPE_DEFAULT) { + KEYWORD_PROFILING_START; match = sigmatch_table[sm->type]. FileMatch(tv, det_ctx, f, flags, /* no file */NULL, s, sm); + KEYWORD_PROFILING_END(det_ctx, sm->type, (match > 0)); + if (match == 1) { r = 1; } diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c index 0bac4d032c..55a280fb74 100644 --- a/src/detect-engine-iponly.c +++ b/src/detect-engine-iponly.c @@ -934,6 +934,7 @@ int IPOnlyMatchCompatSMs(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p) { + KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH); SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH]; while (sm != NULL) { @@ -1077,6 +1078,7 @@ void IPOnlyMatchPacket(ThreadVars *tv, u * 8 + i, s->id, s->msg); if (s->sm_lists[DETECT_SM_LIST_POSTMATCH] != NULL) { + KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_POSTMATCH); SigMatch *sm = s->sm_lists[DETECT_SM_LIST_POSTMATCH]; SCLogDebug("running match functions, sm %p", sm); 
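Review bot: In `IPOnlyMatchCompatSMs` (`@@ -934,6 +934,7 @@`) the new `KEYWORD_PROFILING_SET_LIST(...)` statement sits ahead of the `SigMatch *sm = ...` declaration, and the `@@ -1077,6 +1078,7 @@` hunk in `IPOnlyMatchPacket` does the same inside the POSTMATCH branch. The detect-engine-file.c hunk places the macro after the local declarations; following that order here, i.e. `SigMatch *sm = s->sm_lists[DETECT_SM_LIST_MATCH];` then `KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_MATCH);`, avoids a declaration after a statement and keeps the files consistent. Only SET_LIST is added in these two hunks; the loops that call the match functions lie outside them, so whether they are wrapped in START/END cannot be checked from here.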
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c index 39f615c91a..75c3d09610 100644 --- a/src/detect-engine-state.c +++ b/src/detect-engine-state.c @@ -342,6 +342,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2)) { + KEYWORD_PROFILING_SET_LIST(det_ctx, DETECT_SM_LIST_DMATCH); if (alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { smb_state = (SMBState *)alstate; if (smb_state->dcerpc_present &&